PolicyKit 1.0

Summary

PolicyKit provides a flexible framework for granting users access to privileged operations. It is meant to replace the old userhelper approach, and overcome some of its shortcomings. PolicyKit 1.0 addresses architectural shortcomings of the initial PolicyKit design.

Matthias has produced patches for a number of PolicyKit clients (see below)

eggdbus, polkit and polkit-gnome packages have been reviewed.

Next steps:

write a notification icon

support for negative authorizations

port/rewrite the policy editor

Detailed Description

The initial Releases/FeaturePolicyKit as introduced in Fedora 8 has some shortcomings. E.g. it is based on a library with suid helpers. The shortcoming that motivated the rewrite is that it is not possible to integrate it with directory services such as FreeIPA. The new PolicyKit is implemented as a system bus service and has pluggable backends that make it easy to integrate with directory services. It is one of the goals of the Features/SSSD feature to write such a backend. PolicyKit 1.0 itself will ship with a backend that uses the local filesystem to store action definitions and authorizations, similar
to the current PolicyKit.

More details can be found in Davids
announcement of the PolicyKit 0.90 release.

The current plan is to land the new PolicyKit early in F12 (as soon as it opens up, basically), and have most of the patches ready to port applications. The old PolicyKit 0.9 packages can remain for a while to ease the transition period and will be removed a few months into F12, when all users have been ported.

Benefit to Fedora

Making it possible to manage policies in a central directory service makes Fedora more suitable for larger, centrally managed installations.

As a secondary benefit, the new PolicyKit api is much simpler to work with than the PolicyKit 0.9 api.

Scope

Package EggDbus, which is a dependency of the new PolicyKit

Package the new PolicyKit, making it parallel-installable with the current PolicyKit

Port supporting libraries such as PolicyKit-gnome and PolicyKit-kde to the new PolicyKit or obsolete them

How To Test

Make sure /usr/libexec/polkit-gnome-authentication-agent-1 is automatically started when you log in

Choose a operation that require authorization and are using PolicyKit, e.g. setting the system timezone in the clock applet

Try the operation and verify that you get a PolicyKit password dialog according to the policy

Test that entering the wrong password does not let you execute the operation

Test that entering the correct password lets you execute the operation

Verify that the authorization is remembered according to the policy for this operation, and that a statusicon informs you about currently remembered authorizations

Verify that you can drop the authorizations from the status icon

Try changing the policy for the operation using the policy configuration utility

Check that the policy changes are effective immediately

Verify that logging out and back in removes all remembered authorizations

Repeat these tests with other operations that require authorization, such as storing system connections in nm-applet or changing the default desktop background.

User Experience

The authentication dialogs that are shown by PolicyKit will change in some aspects. The 'retain authorization' checkboxes will likely go away and be replaced with a status icon in the style of consolehelper-gtk, that lets you inspect and drop your retained authorizations.

Dependencies

Features/SSSD not a hard dependency, but these two features will benefit from each other